4
In this example, we look at granting (or denying) principals (or
7
To make grants, we visit grant.html. This doesn't display any
8
grant information until we select a principal.
11
... GET /@@grant.html HTTP/1.1
12
... Authorization: Basic mgr:mgrpw
13
... Referer: http://localhost:8081/@@contents.html
18
If we submit a search request, we'll get a list of principals, from
22
... POST /@@grant.html HTTP/1.1
23
... Authorization: Basic mgr:mgrpw
24
... Content-Length: 117
25
... Content-Type: application/x-www-form-urlencoded
26
... Referer: http://localhost:8081/@@grant.html
28
... field.principal.displayed=y"""
29
... "&field.principal.MA__.searchstring="
30
... "&field.principal.MA__.search=Search")
33
<option value="em9wZS5tZ3I_">Manager</option>
36
We can then choose one. If we do so, we get output that includes form
37
elements for inputing security settings:
40
... POST /@@grant.html HTTP/1.1
41
... Authorization: Basic mgr:mgrpw
42
... Content-Length: 62415
43
... Content-Type: application/x-www-form-urlencoded
44
... Referer: http://localhost:8081/@@grant.html
46
... field.principal.displayed=y"""
47
... """&field.principal.MA__.searchstring="""
48
... """&field.principal.MA__.selection=em9wZS5tZ3I_"""
49
... """&field.principal.MA__.apply=Apply""")
54
<label for="field.em9wZS5tZ3I_.role.zope.Member.0" title="Allow">
55
<input class="radioType" id="field.em9wZS5tZ3I_.role.zope.Member.0" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="allow" onclick="changeMatrix(this);" />
62
<label for="field.em9wZS5tZ3I_.role.zope.Member.1" title="Unset">
63
<input class="radioType" checked="checked" id="field.em9wZS5tZ3I_.role.zope.Member.1" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="unset" onclick="changeMatrix(this);" />
70
<label for="field.em9wZS5tZ3I_.role.zope.Member.2" title="Deny">
71
<input class="radioType" id="field.em9wZS5tZ3I_.role.zope.Member.2" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="deny" onclick="changeMatrix(this);" />
78
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.0" title="Allow">
79
<input class="radioType" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.0" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="allow" onclick="changeMatrix(this);" />
86
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.1" title="Unset">
87
<input class="radioType" checked="checked" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.1" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="unset" onclick="changeMatrix(this);" />
94
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.2" title="Deny">
95
<input class="radioType" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.2" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="deny" onclick="changeMatrix(this);" />
100
Before we submit any data, there are no grants for the root object
101
except for a one made by the testing framework that grants the manager
102
role to the test manager:
104
>>> root = getRootFolder()
105
>>> import zope.app.securitypolicy.interfaces
106
>>> grants = zope.app.securitypolicy.interfaces.IGrantInfo(root)
107
>>> grants.principalPermissionGrant('zope.mgr', 'zope.ManageCode')
108
PermissionSetting: Unset
109
>>> list(grants.getRolesForPrincipal('zope.mgr'))
110
[('zope.Manager', PermissionSetting: Allow)]
112
Now, we can submit changes. (I've actually reduced the form input
113
to just the things we want to change to both limit the text here and
114
to reduce dependencies on specific roles and permissions:
118
... POST /@@grant.html HTTP/1.1
119
... Authorization: Basic mgr:mgrpw
120
... Content-Length: 62437
121
... Content-Type: application/x-www-form-urlencoded
122
... Referer: http://localhost:8081/@@grant.html
124
... field.principal=em9wZS5tZ3I_"""
125
... """&field.principal.displayed=y"""
126
... """&field.principal.MA__.searchstring="""
127
... """&field.em9wZS5tZ3I_.role.zope.Member=allow"""
128
... """&field.em9wZS5tZ3I_.role.zope.Member-empty-marker=1"""
129
... """&field.em9wZS5tZ3I_.permission.zope.ManageCode=deny"""
130
... """&field.em9wZS5tZ3I_.permission.zope.ManageCode-empty-marker=1"""
131
... """&GRANT_SUBMIT=Change""")
136
<label for="field.em9wZS5tZ3I_.role.zope.Member.0" title="Allow">
137
<input class="radioType" checked="checked" id="field.em9wZS5tZ3I_.role.zope.Member.0" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="allow" onclick="changeMatrix(this);" />
144
<label for="field.em9wZS5tZ3I_.role.zope.Member.1" title="Unset">
145
<input class="radioType" id="field.em9wZS5tZ3I_.role.zope.Member.1" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="unset" onclick="changeMatrix(this);" />
152
<label for="field.em9wZS5tZ3I_.role.zope.Member.2" title="Deny">
153
<input class="radioType" id="field.em9wZS5tZ3I_.role.zope.Member.2" name="field.em9wZS5tZ3I_.role.zope.Member" type="radio" value="deny" onclick="changeMatrix(this);" />
160
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.0" title="Allow">
161
<input class="radioType" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.0" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="allow" onclick="changeMatrix(this);" />
168
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.1" title="Unset">
169
<input class="radioType" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.1" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="unset" onclick="changeMatrix(this);" />
176
<label for="field.em9wZS5tZ3I_.permission.zope.ManageCode.2" title="Deny">
177
<input class="radioType" checked="checked" id="field.em9wZS5tZ3I_.permission.zope.ManageCode.2" name="field.em9wZS5tZ3I_.permission.zope.ManageCode" type="radio" value="deny" onclick="changeMatrix(this);" />
182
And, if we check the grants, we see the changes:
184
>>> grants = zope.app.securitypolicy.interfaces.IGrantInfo(root)
186
>>> grants.principalPermissionGrant('zope.mgr', 'zope.ManageCode')
187
PermissionSetting: Deny
189
>>> role_grants = list(grants.getRolesForPrincipal('zope.mgr'))
190
>>> role_grants.sort()
192
... # doctest: +NORMALIZE_WHITESPACE
193
[('zope.Manager', PermissionSetting: Allow),
194
('zope.Member', PermissionSetting: Allow)]